Exemplo n.º 1
0
        public override void deobfuscateBegin()
        {
            base.deobfuscateBegin();

            if (options.DecryptResources)
            {
                addCctorInitCallToBeRemoved(resourceResolver.InitMethod);
                addTypeToBeRemoved(resourceResolver.Type, "Resource resolver type");
            }

            decryptResources();
            stringDecrypter.initialize();

            if (Operations.DecryptStrings != OpDecryptString.None)
            {
                if (stringDecrypter.Resource != null)
                {
                    Log.v("Adding string decrypter. Resource: {0}", Utils.toCsharpString(stringDecrypter.Resource.Name));
                }
                staticStringInliner.add(stringDecrypter.DecryptMethod, (method, gim, args) => {
                    return(stringDecrypter.decrypt(args));
                });
                DeobfuscatedFile.stringDecryptersAdded();
            }

            if (options.DumpEmbeddedAssemblies)
            {
                assemblyResolver.initialize(DeobfuscatedFile, this);

                // Need to dump the assemblies before decrypting methods in case there's a reference
                // in the encrypted code to one of these assemblies.
                dumpEmbeddedAssemblies();
            }

            if (options.DecryptMethods)
            {
                methodsDecrypter.initialize(DeobfuscatedFile, this);
                methodsDecrypter.decrypt();
            }

            if (options.DecryptConstants)
            {
                constantsDecrypter.initialize(DeobfuscatedFile, this);

                addTypeToBeRemoved(constantsDecrypter.Type, "Constants decrypter type");
                addResourceToBeRemoved(constantsDecrypter.Resource, "Encrypted constants");
                int32ValueInliner = new Int32ValueInliner();
                int32ValueInliner.add(constantsDecrypter.Int32Decrypter, (method, gim, args) => constantsDecrypter.decryptInt32((int)args[0]));
                int64ValueInliner = new Int64ValueInliner();
                int64ValueInliner.add(constantsDecrypter.Int64Decrypter, (method, gim, args) => constantsDecrypter.decryptInt64((int)args[0]));
                singleValueInliner = new SingleValueInliner();
                singleValueInliner.add(constantsDecrypter.SingleDecrypter, (method, gim, args) => constantsDecrypter.decryptSingle((int)args[0]));
                doubleValueInliner = new DoubleValueInliner();
                doubleValueInliner.add(constantsDecrypter.DoubleDecrypter, (method, gim, args) => constantsDecrypter.decryptDouble((int)args[0]));
            }

            proxyCallFixer.find();
            startedDeobfuscating = true;
        }
Exemplo n.º 2
0
        public override void deobfuscateBegin()
        {
            base.deobfuscateBegin();

            resourceDecrypter = new ResourceDecrypter(module, DeobfuscatedFile);
            resourceResolver = new ResourceResolver(module, resourceDecrypter);
            assemblyResolver = new AssemblyResolver(module);
            resourceResolver.find();
            assemblyResolver.find();

            decryptResources();
            stringDecrypter.init(resourceDecrypter);
            if (stringDecrypter.Method != null) {
                staticStringInliner.add(stringDecrypter.Method, (method, gim, args) => {
                    return stringDecrypter.decrypt((int)args[0]);
                });
                DeobfuscatedFile.stringDecryptersAdded();
            }

            methodsDecrypter.decrypt(resourceDecrypter);

            if (methodsDecrypter.Detected) {
                if (!assemblyResolver.Detected)
                    assemblyResolver.find();
                if (!tamperDetection.Detected)
                    tamperDetection.find();
            }
            antiDebugger = new AntiDebugger(module, DeobfuscatedFile, this);
            antiDebugger.find();

            if (options.DecryptConstants) {
                constantsDecrypter.init(resourceDecrypter);
                int32ValueInliner = new Int32ValueInliner();
                int32ValueInliner.add(constantsDecrypter.Int32Decrypter, (method, gim, args) => constantsDecrypter.decryptInt32((int)args[0]));
                int64ValueInliner = new Int64ValueInliner();
                int64ValueInliner.add(constantsDecrypter.Int64Decrypter, (method, gim, args) => constantsDecrypter.decryptInt64((int)args[0]));
                singleValueInliner = new SingleValueInliner();
                singleValueInliner.add(constantsDecrypter.SingleDecrypter, (method, gim, args) => constantsDecrypter.decryptSingle((int)args[0]));
                doubleValueInliner = new DoubleValueInliner();
                doubleValueInliner.add(constantsDecrypter.DoubleDecrypter, (method, gim, args) => constantsDecrypter.decryptDouble((int)args[0]));
                addTypeToBeRemoved(constantsDecrypter.Type, "Constants decrypter type");
                addResourceToBeRemoved(constantsDecrypter.Resource, "Encrypted constants");
            }

            addModuleCctorInitCallToBeRemoved(resourceResolver.Method);
            addModuleCctorInitCallToBeRemoved(assemblyResolver.Method);
            addCallToBeRemoved(module.EntryPoint, tamperDetection.Method);
            addModuleCctorInitCallToBeRemoved(tamperDetection.Method);
            addCallToBeRemoved(module.EntryPoint, antiDebugger.Method);
            addModuleCctorInitCallToBeRemoved(antiDebugger.Method);
            addTypeToBeRemoved(resourceResolver.Type, "Resource resolver type");
            addTypeToBeRemoved(assemblyResolver.Type, "Assembly resolver type");
            addTypeToBeRemoved(tamperDetection.Type, "Tamper detection type");
            addTypeToBeRemoved(antiDebugger.Type, "Anti-debugger type");
            addTypeToBeRemoved(methodsDecrypter.Type, "Methods decrypter type");
            addTypesToBeRemoved(methodsDecrypter.DelegateTypes, "Methods decrypter delegate type");
            addResourceToBeRemoved(methodsDecrypter.Resource, "Encrypted methods");

            proxyCallFixer.find();

            dumpEmbeddedAssemblies();
        }
Exemplo n.º 3
0
        public override void deobfuscateBegin()
        {
            base.deobfuscateBegin();

            if (options.DecryptResources) {
                addCctorInitCallToBeRemoved(resourceResolver.InitMethod);
                addTypeToBeRemoved(resourceResolver.Type, "Resource resolver type");
            }

            decryptResources();
            stringDecrypter.initialize();

            if (Operations.DecryptStrings != OpDecryptString.None) {
                if (stringDecrypter.Resource != null)
                    Log.v("Adding string decrypter. Resource: {0}", Utils.toCsharpString(stringDecrypter.Resource.Name));
                staticStringInliner.add(stringDecrypter.DecryptMethod, (method, args) => {
                    return stringDecrypter.decrypt(args);
                });
                DeobfuscatedFile.stringDecryptersAdded();
            }

            if (options.DumpEmbeddedAssemblies) {
                assemblyResolver.initialize(DeobfuscatedFile, this);

                // Need to dump the assemblies before decrypting methods in case there's a reference
                // in the encrypted code to one of these assemblies.
                dumpEmbeddedAssemblies();
            }

            if (options.DecryptMethods) {
                methodsDecrypter.initialize(DeobfuscatedFile, this);
                methodsDecrypter.decrypt();
            }

            if (options.DecryptConstants) {
                constantsDecrypter.initialize(DeobfuscatedFile, this);

                addTypeToBeRemoved(constantsDecrypter.Type, "Constants decrypter type");
                addResourceToBeRemoved(constantsDecrypter.Resource, "Encrypted constants");
                int32ValueInliner = new Int32ValueInliner();
                int32ValueInliner.add(constantsDecrypter.Int32Decrypter, (method, args) => constantsDecrypter.decryptInt32((int)args[0]));
                int64ValueInliner = new Int64ValueInliner();
                int64ValueInliner.add(constantsDecrypter.Int64Decrypter, (method, args) => constantsDecrypter.decryptInt64((int)args[0]));
                singleValueInliner = new SingleValueInliner();
                singleValueInliner.add(constantsDecrypter.SingleDecrypter, (method, args) => constantsDecrypter.decryptSingle((int)args[0]));
                doubleValueInliner = new DoubleValueInliner();
                doubleValueInliner.add(constantsDecrypter.DoubleDecrypter, (method, args) => constantsDecrypter.decryptDouble((int)args[0]));
            }

            proxyDelegateFinder.find();
        }
Exemplo n.º 4
0
        public override void deobfuscateBegin()
        {
            base.deobfuscateBegin();

            resourceDecrypter = new ResourceDecrypter(module, DeobfuscatedFile);
            resourceResolver  = new ResourceResolver(module, resourceDecrypter);
            assemblyResolver  = new AssemblyResolver(module);
            resourceResolver.find();
            assemblyResolver.find();

            decryptResources();
            stringDecrypter.init(resourceDecrypter);
            if (stringDecrypter.Method != null)
            {
                staticStringInliner.add(stringDecrypter.Method, (method, gim, args) => {
                    return(stringDecrypter.decrypt((int)args[0]));
                });
                DeobfuscatedFile.stringDecryptersAdded();
            }

            methodsDecrypter.decrypt(resourceDecrypter);

            if (methodsDecrypter.Detected)
            {
                if (!assemblyResolver.Detected)
                {
                    assemblyResolver.find();
                }
                if (!tamperDetection.Detected)
                {
                    tamperDetection.find();
                }
            }
            antiDebugger = new AntiDebugger(module, DeobfuscatedFile, this);
            antiDebugger.find();

            if (options.DecryptConstants)
            {
                constantsDecrypter.init(resourceDecrypter);
                int32ValueInliner = new Int32ValueInliner();
                int32ValueInliner.add(constantsDecrypter.Int32Decrypter, (method, gim, args) => constantsDecrypter.decryptInt32((int)args[0]));
                int64ValueInliner = new Int64ValueInliner();
                int64ValueInliner.add(constantsDecrypter.Int64Decrypter, (method, gim, args) => constantsDecrypter.decryptInt64((int)args[0]));
                singleValueInliner = new SingleValueInliner();
                singleValueInliner.add(constantsDecrypter.SingleDecrypter, (method, gim, args) => constantsDecrypter.decryptSingle((int)args[0]));
                doubleValueInliner = new DoubleValueInliner();
                doubleValueInliner.add(constantsDecrypter.DoubleDecrypter, (method, gim, args) => constantsDecrypter.decryptDouble((int)args[0]));
                addTypeToBeRemoved(constantsDecrypter.Type, "Constants decrypter type");
                addResourceToBeRemoved(constantsDecrypter.Resource, "Encrypted constants");
            }

            addModuleCctorInitCallToBeRemoved(resourceResolver.Method);
            addModuleCctorInitCallToBeRemoved(assemblyResolver.Method);
            addCallToBeRemoved(module.EntryPoint, tamperDetection.Method);
            addModuleCctorInitCallToBeRemoved(tamperDetection.Method);
            addCallToBeRemoved(module.EntryPoint, antiDebugger.Method);
            addModuleCctorInitCallToBeRemoved(antiDebugger.Method);
            addTypeToBeRemoved(resourceResolver.Type, "Resource resolver type");
            addTypeToBeRemoved(assemblyResolver.Type, "Assembly resolver type");
            addTypeToBeRemoved(tamperDetection.Type, "Tamper detection type");
            addTypeToBeRemoved(antiDebugger.Type, "Anti-debugger type");
            addTypeToBeRemoved(methodsDecrypter.Type, "Methods decrypter type");
            addTypesToBeRemoved(methodsDecrypter.DelegateTypes, "Methods decrypter delegate type");
            addResourceToBeRemoved(methodsDecrypter.Resource, "Encrypted methods");

            proxyCallFixer.find();

            dumpEmbeddedAssemblies();
        }